- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 27 Jan 2016 11:08:28 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, Marijn Kruisselbrink <mek@google.com>
On Wed, Jan 27, 2016 at 9:52 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 28 January 2016 at 01:25, Anne van Kesteren <annevk@annevk.nl> wrote: >>> When I hear "CORS", I think "Will the foreignorigin's service worker be able >>> to respond to OPTIONS requests?" because that sounds dangerous. I assume >>> preflights will continue to skip both service workers? >> >> Yes. Opting into foreign fetch is the equivalent of OPTIONS. > > It's the middle of the night, but this doesn't parse. If foreign > fetch is the equivalent of OPTIONS, then isn't it reasonable to permit > intercept of OPTIONS requests? Or omit the OPTIONS requests entirely > in this case? I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS is a check to see if the server is CORS-aware. Here the service worker obviously is aware of cross-origin fetches. -- https://annevankesteren.nl/
Received on Wednesday, 27 January 2016 19:08:56 UTC